The Dual Ec PRNG

• φ : prime curve -> integers

  φ(x,y) = x

• P, Q points on the curve (per SP800-90)

Data flow of one step:

  s_i -> φ(s_i*P) -> r_i -> φ(r_i*Q) -> t_i -> LSB_{bitlen-16}(t_i) -> o_i
                    r_i -> φ(r_i*P) -> s_{i+1}

Equations:

  r_i = φ(s_i*P)    t_i = φ(r_i*Q)    s_{i+1} = φ(r_i*P)



The Objection 



Point P is the generator of the curve (per
SP800-90).

Point Q is a specified constant. It is not
stated how it was derived.

NIST prime curves have prime order. So
there exists e such that e*Q = P.



The Attack 



Suppose an attacker knows the value e.

Given: a block of output o_i from a Dual EC PRNG
instance.

Output: S, the set of possible values of s_{i+1}, the internal
state of the Dual Ec PRNG at the subsequent step.

Set S = {}.

For 0 < u < 2^16 - 1:

  x = u || o_i

  z = x^3 + ax + b mod p.

  If y = z^{1/2} mod p exists => A = (x,y) is on the curve:

    S = S ∪ {φ(e*A)}.



How this works 



One of the values x = u || o_i equals t_i.

If A is the point with x coordinate t_i, then

  A = r_i*Q

Thus:

  φ(e*A) = φ(e*r_i*Q) = φ(r_i*P) = s_{i+1}.
  => s_{i+1} is in S.

|S| ≈ 2^15 (about half of all x values lie on the curve).



Experimental Verification 



1. Pick the NIST P-256 curve.

2. Choose a random d.

3. Choose Q_2 = d*P.

4. Replace Q with Q_2.

5. Given |Output| = 32 bytes > output block length.

6. Filter out s_{i+1} values that do not generate the next
2 bytes.

In every experiment 32 bytes of output was
sufficient to uniquely identify the internal state
of the PRNG.
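The recovery procedure from "The Attack" and the filtering step from the experiment above, as an added example that is not from these slides: it uses constructed parameters (p = 1019, a prime-order curve found by search, 3 truncated bits standing in for 16, d = 5 as the assumed designer secret) and Python 3.8+ for pow(d, -1, n).

```python
# Toy Dual EC with a known back-door scalar d (constructed parameters, not a NIST curve).
p, a = 1019, 1          # p prime with p % 4 == 3, so a square root is one exponentiation
TRUNC, OUT = 3, 7       # x fits in 10 bits; drop the top 3, keep 7 (toy analog of 16 dropped bits)

def sqrt_mod(z):        # square root of z mod p, or None if z is a non-residue
    y = pow(z, (p + 1) // 4, p)
    return y if y * y % p == z % p else None
def add(A, B):          # affine addition on y^2 = x^3 + a*x + b; None is the point at infinity
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = ((3*x1*x1 + a) * pow(2*y1, -1, p) if A == B
           else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)
def mul(k, A):          # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def npts(z): r = sqrt_mod(z); return 0 if r is None else 1 if r == 0 else 2   # points with rhs z
def is_prime(m): return m > 1 and all(m % q for q in range(2, int(m**0.5) + 1))

def find_curve():       # smallest b with prime order n >= p and no point at x = 0 (scalars stay in 1..n-1)
    for b in range(1, p):
        if sqrt_mod(b) is not None: continue
        n = 1 + sum(npts(x**3 + a*x + b) for x in range(p))
        if is_prime(n) and n >= p:
            x = next(x for x in range(1, p) if npts(x**3 + a*x + b))
            return b, n, (x, sqrt_mod(x**3 + a*x + b))
b, n, P = find_curve()
def step(s, Q):         # one Dual EC step: returns (s_{i+1}, o_i)
    r = mul(s, P)[0]                            # r_i = φ(s_i*P)
    t = mul(r, Q)[0]                            # t_i = φ(r_i*Q)
    return mul(r, P)[0], t & ((1 << OUT) - 1)   # s_{i+1} = φ(r_i*P); o_i keeps the low OUT bits of t_i
def recover(o, e):      # the attack: S = { φ(e*A) : A on the curve with φ(A) = u||o }
    S = set()
    for u in range(1 << TRUNC):
        x = (u << OUT) | o
        y = sqrt_mod(x**3 + a*x + b) if x < p else None
        if y is not None: S.add(mul(e, (x, y))[0])
    return S

def demo(d=5, s0=123):  # d plays the designer's secret; e*Q = P follows by inversion mod n
    e, Q = pow(d, -1, n), mul(d, P)
    s1, o1 = step(s0, Q); s2, o2 = step(s1, Q)
    S = recover(o1, e)                                   # candidates for s1 from one block
    S2 = {s for s in S if step(s, Q)[1] == o2}           # keep those consistent with the next block
    return s1 in S, len(S), s1 in S2, len(S2)
```

demo() returns whether the true next state is among the candidates, how many candidates one block yields (at most 2^TRUNC), and the same after filtering with the following block.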



The Main Point 



If an attacker knows d such that d*P = Q
then they can easily compute e such that
e*Q = P (invert mod group order).

If an attacker knows e then they can determine a 
small number of possibilities for the internal state 
of the Dual Ec PRNG and predict future outputs. 

We do not know how the point Q was chosen, so 
we don't know if the algorithm designer knows d 
or e. 



Conclusion 



WHAT WE ARE NOT SAYING: 

NIST intentionally put a back door in this PRNG 

WHAT WE ARE SAYING: 
The prediction resistance of this PRNG (as 
presented in NIST SP800-90) is dependent on 
solving one instance of the elliptic curve discrete 
log problem. 

(And we do not know if the algorithm designer
knew this beforehand.)



Suggestions for Improvement 



Truncate off more than the top 16 bits of 
the output block. 

- Results on extractors from x coordinates of 
EC points of prime curves suggest truncating 
off the top bitlen/2 bits is reasonable. 

Generate a random point Q for each 
instance of the PRNG. 



